Towards Predictive Real-time Multi-sensors Intrusion Alert Correlation Framework

Bibliographic details
Published in: Indian Journal of Science and Technology, June 2015, Vol. 8 (12), p. 1-1
Main authors: Md Siraj, Maheyzah; Taha Albasheer, Hashim Hussein; Mat Din, Mazura
Format: Article
Language: English
Description

Summary: Despite the deployment of Network Intrusion Detection Systems/Sensors (NIDS) in computer networks to detect various attacks, their use raises a serious problem: they generate a high volume of low-quality intrusion alerts when attack scenarios have taken place. Worse, NIDSs cannot extract, or even predict, the sequence of attack scenarios. Thus, alert post-processing, also known as Alert Correlation (AC), is much needed to derive the current security state of the system. AC aims to identify the complete relationship among intrusion alerts, which can reveal the attacker's strategy (i.e., the sequence of attack scenarios). In this paper, the authors highlight the important research problems in developing AC, which motivated them to propose a new AC framework design that includes attack prediction and a proactive step in a real-time, multiple-sensor environment. It is worth mentioning that, to complement NIDSs in detecting incoming attacks, intrusion alert prediction is an exploratory area for future research, for the purpose of improving the quality of correlation and predicting the attacker's next scenario as a proactive step.
ISSN: 0974-6846, 0974-5645
DOI: 10.17485/ijst/2015/v8i12/70658
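The alert-correlation pipeline the abstract describes, as an added example that is not the authors' framework or code: alerts from two hypothetical sensors are normalized to a shared attack-stage vocabulary, duplicate alerts for the same host pair are aggregated to cut the volume, the remaining alerts are chained per host pair into an attack sequence using a prerequisite model, and a transition table estimated from constructed past sequences predicts the attacker's most likely next stage. Alerts whose prerequisites were never observed are reported separately rather than forced into a sequence. The sensor names, signature strings, stage vocabulary, prerequisite table and history are all constructed for the illustration.

```python
"""Multi-sensor alert correlation with next-stage prediction.

Added illustration, not the paper's framework. Sensor names, signature
strings, stage vocabulary, prerequisite table and history are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds since start of capture
    sensor: str
    src: str
    dst: str
    stage: str     # normalized attack stage ("recon", "exploit", ...)


# Constructed raw alerts as (sensor, ts, src, dst, signature) tuples.
# Two sensors report the same recon activity under different names.
RAW_ALERTS = [
    ("snort", 1.0, "10.0.0.5", "10.0.0.20", "SCAN nmap TCP"),
    ("suricata", 1.2, "10.0.0.5", "10.0.0.20", "ET SCAN Nmap"),
    ("snort", 1.3, "10.0.0.5", "10.0.0.20", "SCAN nmap TCP"),
    ("snort", 2.0, "10.0.0.9", "10.0.0.30", "SCAN nmap TCP"),
    ("suricata", 3.0, "10.0.0.7", "10.0.0.40", "MALWARE-CNC Reverse shell"),
    ("suricata", 5.0, "10.0.0.5", "10.0.0.20", "ET EXPLOIT Apache Struts OGNL"),
    ("snort", 9.0, "10.0.0.20", "10.0.0.5", "MALWARE-CNC Reverse shell"),
]

# Assumed mapping from sensor-specific signatures to a shared stage vocabulary.
SIGNATURE_TO_STAGE = {
    "SCAN nmap TCP": "recon",
    "ET SCAN Nmap": "recon",
    "ET EXPLOIT Apache Struts OGNL": "exploit",
    "MALWARE-CNC Reverse shell": "c2",
}

# Prerequisite model (constructed): a stage is linked into a sequence only
# if every listed prerequisite stage was already seen for that host pair.
PREREQ = {"recon": set(), "exploit": {"recon"}, "c2": {"exploit"}, "exfil": {"c2"}}

# Constructed history of past attack sequences used to estimate transitions.
HISTORY = [
    ["recon", "exploit", "c2", "exfil"],
    ["recon", "exploit", "c2"],
    ["recon", "exploit"],
    ["recon", "recon", "exploit", "c2", "exfil"],
]


def normalize(raw):
    """Map raw sensor alerts onto the shared stage vocabulary, time-ordered."""
    alerts = [Alert(ts, sensor, src, dst, SIGNATURE_TO_STAGE[sig])
              for sensor, ts, src, dst, sig in raw if sig in SIGNATURE_TO_STAGE]
    return sorted(alerts, key=lambda a: a.ts)


def aggregate(alerts, window=2.0):
    """Collapse alerts with the same (src, dst, stage), from any sensor, that
    arrive within `window` seconds of the first one into (alert, count)."""
    merged = []
    for a in alerts:
        for entry in merged:
            b = entry[0]
            if (b.src, b.dst, b.stage) == (a.src, a.dst, a.stage) and a.ts - b.ts <= window:
                entry[1] += 1
                break
        else:
            merged.append([a, 1])
    return [(a, n) for a, n in merged]


def correlate(aggregated):
    """Chain alerts per host pair into attack sequences; alerts whose
    prerequisites were never observed for that pair are returned as orphans."""
    tracks, orphans = {}, []
    for a, _ in aggregated:
        key = tuple(sorted((a.src, a.dst)))   # direction-agnostic host pair
        if PREREQ[a.stage] <= set(tracks.get(key, [])):
            tracks.setdefault(key, []).append(a.stage)
        else:
            orphans.append(a)
    return tracks, orphans


def build_transitions(history):
    """Count stage -> next-stage transitions (END marks a finished sequence)."""
    counts = defaultdict(Counter)
    for seq in history:
        for cur, nxt in zip(seq, seq[1:] + ["END"]):
            counts[cur][nxt] += 1
    return counts


def predict_next(sequence, transitions):
    """Most likely next stage after the sequence's last stage, with probability."""
    counts = transitions.get(sequence[-1])
    if not counts:
        return ("END", 0.0)
    stage, n = counts.most_common(1)[0]
    return (stage, n / sum(counts.values()))


def analyze(raw=RAW_ALERTS):
    """Run the pipeline: aggregated alerts, per-pair sequences with their
    predicted next stage, and orphan alerts."""
    aggregated = aggregate(normalize(raw))
    tracks, orphans = correlate(aggregated)
    transitions = build_transitions(HISTORY)
    report = {pair: (seq, predict_next(seq, transitions)) for pair, seq in tracks.items()}
    return aggregated, report, orphans


if __name__ == "__main__":
    _, report, orphans = analyze()
    for pair, (seq, (nxt, p)) in report.items():
        print(pair, " -> ".join(seq), f"next={nxt} p={p:.2f}")
    print("orphans:", [(o.src, o.dst, o.stage) for o in orphans])
```

On the constructed input the three recon alerts from both sensors collapse into one, the 10.0.0.5/10.0.0.20 pair yields the sequence recon -> exploit -> c2 with "exfil" predicted next, and the lone reverse-shell alert for 10.0.0.7/10.0.0.40 is flagged as an orphan because no exploit stage preceded it. The transition table is a first-order Markov estimate; a real deployment would need far more history and a richer prerequisite model, which is the open research problem the abstract points at.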